Sandbox
FortiSandbox SaaS is a service that uploads and analyzes files that FortiGate antivirus (AV) marks as suspicious.
In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable the FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior is analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database, it receives the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes for automated SandBox detection to ten hours if FortiGuard Labs is involved.
FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors.
The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: pending, clean, malware, or unknown. The console also provides data on time, user, and location of the infected file for forensic analysis.
The SandBox tab collects information that the FortiSandbox SaaS service compiles. FortiSandbox SaaS submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files' results.
You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.
FortiSandbox SaaS regions include Global, Europe, U.S., and Japan.
The FortiSandbox SaaS feature allows the following file upload sources:
- File uploads from FortiGate:
  For a FortiGate without a FortiSandbox SaaS subscription (see License types), FortiSandbox SaaS supports up to 100 uploads per day or two uploads per minute.
  For FortiGates with a FortiSandbox SaaS subscription, the following upload limits apply:

  | FortiGate model | Per minute | Per day |
  |---|---|---|
  | FortiGate 30-90/VM00 | 5 | 7 200 |
  | FortiGate 100-400/VM01 | 10 | 14 400 |
  | FortiGate 500-900/VM02, VM04 | 20 | 28 880 |
  | FortiGate 1000-2000/VM08, VM16 | 50 | 72 000 |
  | FortiGate 3000/VM32 and higher models | 100 | 144 000 |

- For manual uploads from FortiGate Cloud, FortiSandbox SaaS supports up to 50 uploads per day per account.
To set up Sandbox:
- Complete the FortiGate Cloud Sandbox steps.
- In Security Profiles > AntiVirus, create a profile that has Send files to FortiSandbox Cloud for inspection configured.
- Create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.
- Once devices have uploaded some files to FortiSandbox SaaS, log in to the FortiGate Cloud portal to see the results.
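The same setup steps expressed in FortiOS CLI, as an added example that is not from this page or from Fortinet's own documentation. It assumes FortiOS 7.x keyword names, a proxy-mode AV profile named sandbox-av, and placeholder interface names port1 (WAN) and port2 (LAN); verify each keyword against the CLI reference for your firmware version before applying it.

```fortios
# Step 1: enable cloud sandboxing (FortiSandbox SaaS) on the FortiGate
config system fortisandbox
    set status enable
    set forticloud enable
end

# Step 2: proxy-based AV profile that sends suspicious files for analysis
config antivirus profile
    edit "sandbox-av"
        set feature-set proxy
        # analytics-suspicious uploads only files the AV engine flags as suspicious
        set fortisandbox-mode analytics-suspicious
        # upper bound in MB, aligned with the 10 MB maximum the service accepts
        set fortisandbox-max-upload 10
        config http
            set av-scan block
        end
        config smtp
            set av-scan block
        end
    next
end

# Step 3: firewall policy that uses the profile, with logging enabled so
# sandbox verdicts can be correlated with the session that carried the file
config firewall policy
    edit 0
        set name "lan-to-wan-sandbox"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "sandbox-av"
        set logtraffic all
        set nat enable
    next
end
```

Certificate inspection sees only unencrypted payloads and TLS metadata; if suspicious files are expected inside HTTPS, a deep-inspection SSL profile is required for the AV engine to extract them.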
To upload a sample to Sandbox:
- Go to Sandbox > Scan Results.
- Click Upload Sample.
- Browse to and select a file to upload, then click Submit. Once analysis completes, Scan Results displays the results.
Dashboard
You can see an overview of the Sandbox results on the Dashboard.
The Dashboard contains the following widgets:
| Widget | Description |
|---|---|
| System Status | Quick view of the current state of the AV databases and load. |
| Top 5 Targeted Hosts (Last 24 Hours) | Displays which hosts received the most threats during the last 24 hours. |
| Scan Result (Today and Past 7 Days) | Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget. |
| Top 20 File Types (Last 24 Hours) | Displays the most commonly analyzed file types in the last 24 hours of scanning. |
Files and On-Demand Records
Files Records displays files that your connected device's AV has flagged as suspicious and uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis and view the analysis results. These pages may not appear if you do not have the FortiSandbox SaaS service enabled on the connected device.
You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.
The maximum file size is 10 MB. The processing time may vary based on the file size.
Setting
In Settings > Sandbox Setting, you can configure FortiSandbox SaaS settings:
| Setting | Description |
|---|---|
| Enable Alert Setting | |
| Log Retention | Set number of days to retain log data. |
| Malware Package Options | Select the data risk level that is automatically submitted to FortiGuard to further antithreat research. |
| URL Package Options | |
If multitenancy is enabled, you can also select the target subaccount to which the Sandbox settings apply, and choose whether to apply the same settings to all lower-level subaccounts of that subaccount.
To configure Sandbox alert emails:
- Go to Settings > Sandbox Setting.
- Select Enable Alert Setting.
- Enter email addresses into the list to contact in the event of a Sandbox alert.
- Select the severity levels to trigger an alert.
- Click Apply.